« back to all changes in this revision
Viewing changes to src/key_mod/ecryptfs_key_mod_pkcs11_helper.c
- browse files at revision 2
- compare with another revision
- download diff
- download tarball
- view history from revision 2
- Committer: mhalcrow@us.ibm.com
- Date: 2007-11-06 22:56:01 UTC
- Revision ID: git-v1:f8357de9d554b274497b5cce9db4347254b7e7eb
Initial import of eCryptfs filesystem userspace utilities (mount helper, daemon component,
etc.)
etc.)
added
removed
src/key_mod/ecryptfs_key_mod_pkcs11_helper.c
1
/**
2
* Copyright (C) 2006-2007 International Business Machines Corp.
3
* Author(s): Alon Bar-Lev <alon.barlev@gmail.com>, based on:
4
* Trevor S. Highland <trevor.highland@gmail.com>
5
* Mike Halcrow <mhalcrow@us.ibm.com>
6
*
7
* This program is free software; you can redistribute it and/or
8
* modify it under the terms of the GNU General Public License as
9
* published by the Free Software Foundation; either version 2 of the
10
* License, or (at your option) any later version.
11
*
12
* This program is distributed in the hope that it will be useful, but
13
* WITHOUT ANY WARRANTY; without even the implied warranty of
14
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15
* General Public License for more details.
16
*
17
* You should have received a copy of the GNU General Public License
18
* along with this program; if not, write to the Free Software
19
* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
20
* 02111-1307, USA.
21
*/
22
23
#include <fcntl.h>
24
#include <pwd.h>
25
#include <stdio.h>
26
#include <string.h>
27
#include <syslog.h>
28
#include <errno.h>
29
#include <stdlib.h>
30
#include <unistd.h>
31
#include <openssl/x509.h>
32
#include <sys/types.h>
33
#include <sys/stat.h>
34
#include <pkcs11-helper-1.0/pkcs11h-certificate.h>
35
#include "config.h"
36
#include "../include/ecryptfs.h"
37
#include "../include/decision_graph.h"
38
39
struct pkcs11h_data {
40
char *serialized_id;
41
unsigned char *certificate_blob;
42
size_t certificate_blob_size;
43
char *passphrase;
44
};
45
46
struct pkcs11h_subgraph_key_ctx {
47
struct ecryptfs_key_mod *key_mod;
48
struct pkcs11h_data pkcs11h_data;
49
};
50
51
struct pkcs11h_subgraph_provider_ctx {
52
struct ecryptfs_key_mod *key_mod;
53
char *name;
54
char *library;
55
int allow_protected_authentication;
56
int certificate_is_private;
57
unsigned private_mask;
58
};
59
60
#if OPENSSL_VERSION_NUMBER < 0x00908000L
61
typedef unsigned char *__pkcs11_openssl_d2i_t;
62
#else
63
typedef const unsigned char *__pkcs11_openssl_d2i_t;
64
#endif
65
66
/**
67
* ecryptfs_pkcs11h_deserialize
68
* @pkcs11h_data: The deserialized version of the key module data;
69
* internal components pointed to blob memory
70
* @blob: The key module-specific state blob
71
*
72
*/
73
static int ecryptfs_pkcs11h_deserialize(struct pkcs11h_data *pkcs11h_data,
74
unsigned char *blob)
75
{
76
size_t serialized_id_length;
77
size_t passphrase_length;
78
size_t i = 0;
79
int rc;
80
81
serialized_id_length = blob[i++] % 256;
82
serialized_id_length += blob[i++] << 8;
83
if (serialized_id_length == 0) {
84
pkcs11h_data->serialized_id = NULL;
85
}
86
else {
87
pkcs11h_data->serialized_id = blob + i;
88
i += serialized_id_length;
89
}
90
pkcs11h_data->certificate_blob_size = blob[i++] % 256;
91
pkcs11h_data->certificate_blob_size += blob[i++] << 8;
92
if (pkcs11h_data->certificate_blob_size == 0) {
93
pkcs11h_data->certificate_blob = NULL;
94
}
95
else {
96
pkcs11h_data->certificate_blob = blob + i;
97
i += pkcs11h_data->certificate_blob_size;
98
}
99
passphrase_length = blob[i++] % 256;
100
passphrase_length += blob[i++] << 8;
101
if (passphrase_length == 0) {
102
pkcs11h_data->passphrase = NULL;
103
}
104
else {
105
pkcs11h_data->passphrase = blob + i;
106
i += passphrase_length;
107
}
108
109
rc = 0;
110
out:
111
return rc;
112
}
113
114
/**
115
* @blob: Callee allocates this memory
116
*/
117
static int ecryptfs_pkcs11h_serialize(unsigned char *blob, size_t *blob_size,
118
struct pkcs11h_data *pkcs11h_data)
119
{
120
#define PUSHSER1(x) do { if (blob) { blob[i] = x; } i++; } while (0)
121
#define PUSHSERN(x,s) do { if (blob) { memcpy(&blob[i], x, s); } i+=s; } while (0)
122
size_t serialized_id_length;
123
size_t passphrase_length;
124
size_t i = 0;
125
int rc = 0;
126
127
(*blob_size) = 0;
128
if (!pkcs11h_data->serialized_id) {
129
rc = -EINVAL;
130
syslog(LOG_ERR, "PKCS#11: pkcs11h_data internal structure not properly filled in\n");
131
goto out;
132
}
133
serialized_id_length = strlen(pkcs11h_data->serialized_id) + 1; /* + '\0' */
134
PUSHSER1(serialized_id_length % 256);
135
PUSHSER1(serialized_id_length >> 8);
136
PUSHSERN(pkcs11h_data->serialized_id, serialized_id_length);
137
PUSHSER1(pkcs11h_data->certificate_blob_size % 256);
138
PUSHSER1(pkcs11h_data->certificate_blob_size >> 8);
139
PUSHSERN(pkcs11h_data->certificate_blob, pkcs11h_data->certificate_blob_size);
140
passphrase_length = strlen(pkcs11h_data->passphrase) + 1; /* + '\0' */
141
PUSHSER1(passphrase_length % 256);
142
PUSHSER1(passphrase_length >> 8);
143
PUSHSERN(pkcs11h_data->passphrase, passphrase_length);
144
(*blob_size) = i;
145
out:
146
return rc;
147
#undef PUSHSER1
148
#undef PUSHSERN
149
}
150
151
static
152
void
153
pkcs11h_log (
154
void * const global_data,
155
unsigned flags,
156
const char * const format,
157
va_list args
158
) {
159
vsyslog(LOG_INFO, format, args);
160
}
161
162
static
163
PKCS11H_BOOL
164
pkcs11h_token_prompt (
165
void * const global_data,
166
void * const user_data,
167
const pkcs11h_token_id_t token,
168
const unsigned retry
169
) {
170
(void)global_data;
171
(void)user_data;
172
(void)retry;
173
174
return FALSE;
175
}
176
177
static
178
PKCS11H_BOOL
179
pkcs11h_pin_prompt (
180
void * const global_data,
181
void * const user_data,
182
const pkcs11h_token_id_t token,
183
const unsigned retry,
184
char * const pin,
185
const size_t pin_max
186
) {
187
char *prompt = NULL;
188
int use_static_password = 0;
189
int rc;
190
191
(void)global_data;
192
193
if (asprintf (&prompt, "Please enter PIN for token '%s'", token->display) == -1) {
194
rc = -ENOMEM;
195
goto out;
196
}
197
198
/* TEMP TEMP TEMP - BEGIN
199
* Until we can affect ecryptfs context via daemon */
200
if (cryptfs_get_ctx_opts ()->prompt) {
201
rc = cryptfs_get_ctx_opts ()->prompt ("password", prompt, pin, pin_max);
202
if (rc == -EINVAL) {
203
use_static_password = 1;
204
}
205
else {
206
goto out;
207
}
208
}
209
else {
210
use_static_password = 1;
211
}
212
213
if (use_static_password) {
214
if (retry != 0 || user_data == NULL) {
215
rc = -EIO;
216
goto out;
217
}
218
strncpy (pin, (char *)user_data, pin_max-1);
219
pin[pin_max-1] = '\x0';
220
}
221
222
rc = 0;
223
224
/* TEMP TEMP TEMP - END */
225
out:
226
227
if (prompt != NULL) {
228
free (prompt);
229
}
230
231
return rc == 0;
232
}
233
234
/**
235
* ecryptfs_pkcs11h_get_public_key
236
* @rsa: RSA key to allocate
237
* @blob: Key module data to use in finding the key
238
*/
239
static int ecryptfs_pkcs11h_get_public_key(RSA **rsa, unsigned char *blob)
240
{
241
struct pkcs11h_data _pkcs11h_data;
242
struct pkcs11h_data *pkcs11h_data = &_pkcs11h_data;
243
X509 *x509 = NULL;
244
EVP_PKEY *pubkey = NULL;
245
__pkcs11_openssl_d2i_t d2i1 = NULL;
246
int rc;
247
248
if ((rc = ecryptfs_pkcs11h_deserialize(pkcs11h_data, blob)) != 0) {
249
goto out;
250
}
251
252
if ((x509 = X509_new ()) == NULL) {
253
syslog(LOG_ERR, "PKCS#11: Unable to allocate certificate object");
254
rc = -ENOMEM;
255
goto out;
256
}
257
258
d2i1 = (__pkcs11_openssl_d2i_t)pkcs11h_data->certificate_blob;
259
if (!d2i_X509 (&x509, &d2i1, pkcs11h_data->certificate_blob_size)) {
260
syslog(LOG_ERR, "PKCS#11: Unable to parse X.509 certificate");
261
rc = -EIO;
262
goto out;
263
}
264
265
if ((pubkey = X509_get_pubkey(x509)) == NULL) {
266
syslog(LOG_ERR, "PKCS#11: Cannot get public key");
267
rc = -EIO;
268
goto out;
269
}
270
271
if (pubkey->type != EVP_PKEY_RSA) {
272
syslog(LOG_ERR, "PKCS#11: Invalid public key algorithm");
273
rc = -EIO;
274
goto out;
275
}
276
277
if (
278
(*rsa = EVP_PKEY_get1_RSA(pubkey)) == NULL
279
) {
280
syslog(LOG_ERR, "PKCS#11: Cannot get RSA key");
281
rc = -EIO;
282
goto out;
283
}
284
285
rc = 0;
286
out:
287
if (pubkey != NULL) {
288
EVP_PKEY_free(pubkey);
289
pubkey = NULL;
290
}
291
292
if (x509 != NULL) {
293
X509_free(x509);
294
x509 = NULL;
295
}
296
297
return rc;
298
}
299
300
static int ecryptfs_pkcs11h_get_key_sig(unsigned char *sig, unsigned char *blob)
301
{
302
RSA *rsa = NULL;
303
int len, nbits, ebits, i;
304
int nbytes, ebytes;
305
char *hash = NULL;
306
char *data = NULL;
307
int rc;
308
309
if ((rc = ecryptfs_pkcs11h_get_public_key(&rsa, blob))) {
310
syslog(LOG_ERR, "PKCS#11: Error attempting to read RSA key from token; rc=[%d]\n", rc);
311
goto out;
312
}
313
314
hash = malloc(SHA_DIGEST_LENGTH);
315
if (!hash) {
316
syslog(LOG_ERR, "PKCS#11: Out of memory\n");
317
rc = -ENOMEM;
318
goto out;
319
}
320
nbits = BN_num_bits(rsa->n);
321
nbytes = nbits / 8;
322
if (nbits % 8)
323
nbytes++;
324
ebits = BN_num_bits(rsa->e);
325
ebytes = ebits / 8;
326
if (ebits % 8)
327
ebytes++;
328
len = 10 + nbytes + ebytes;
329
data = malloc(3 + len);
330
if (!data) {
331
syslog(LOG_ERR, "PKCS#11: Out of memory\n");
332
rc = -ENOMEM;
333
goto out;
334
}
335
i = 0;
336
data[i++] = '\x99';
337
data[i++] = (char)(len >> 8);
338
data[i++] = (char)len;
339
data[i++] = '\x04';
340
data[i++] = '\00';
341
data[i++] = '\00';
342
data[i++] = '\00';
343
data[i++] = '\00';
344
data[i++] = '\02';
345
data[i++] = (char)(nbits >> 8);
346
data[i++] = (char)nbits;
347
BN_bn2bin(rsa->n, &(data[i]));
348
i += nbytes;
349
data[i++] = (char)(ebits >> 8);
350
data[i++] = (char)ebits;
351
BN_bn2bin(rsa->e, &(data[i]));
352
i += ebytes;
353
SHA1(data, len + 3, hash);
354
to_hex(sig, hash, ECRYPTFS_SIG_SIZE);
355
sig[ECRYPTFS_SIG_SIZE_HEX] = '\0';
356
357
rc = 0;
358
out:
359
if (rc != 0) {
360
syslog(LOG_ERR, "PKCS#11: Error attempting to generate key signature; rc=[%d]\n", rc);
361
}
362
363
if (data != NULL) {
364
free(data);
365
data = NULL;
366
}
367
if (hash != NULL) {
368
free(hash);
369
hash = NULL;
370
}
371
372
if (rsa != NULL) {
373
RSA_free(rsa);
374
rsa = NULL;
375
}
376
377
return rc;
378
}
379
380
/**
381
* ecryptfs_pkcs11h_encrypt
382
* @to: Where to write encrypted data
383
* @size: Number of bytes to encrypt
384
* @from: Data to encrypt
385
* @blob: Arbitrary blob specific to this key module
386
*
387
* Encrypt @size bytes of data in @from, writing the encrypted data
388
* into @to, using @blob as the parameters for the
389
* encryption.
390
*/
391
static int ecryptfs_pkcs11h_encrypt(char *to, size_t *to_size, char *from,
392
size_t from_size, unsigned char *blob,
393
int blob_type)
394
{
395
RSA *rsa = NULL;
396
int rc;
397
398
if (to == NULL) {
399
*to_size = 0;
400
}
401
402
if ((rc = ecryptfs_pkcs11h_get_public_key(&rsa, blob))) {
403
syslog(LOG_ERR, "PKCS#11: Error attempting to read RSA key from token; rc=[%d]\n", rc);
404
goto out;
405
}
406
407
(*to_size) = RSA_size(rsa);
408
if (to) {
409
if (
410
(rc = RSA_public_encrypt(
411
from_size,
412
from,
413
to,
414
rsa,
415
RSA_PKCS1_PADDING
416
)) == -1
417
) {
418
rc = -(int)ERR_get_error();
419
syslog(LOG_ERR, "PKCS#11: Error attempting to perform RSA public key encryption; rc=[%d]\n", rc);
420
goto out;
421
}
422
423
(*to_size) = rc;
424
}
425
426
rc = 0;
427
out:
428
if (rsa != NULL) {
429
RSA_free(rsa);
430
rsa = NULL;
431
}
432
433
return rc;
434
}
435
436
/**
437
* ecryptfs_pkcs11h_dencrypt
438
* @from: Data to decrypt
439
* @to: Where to write decrypted data
440
* @decrypted_key_size: Number of bytes decrypted
441
* @blob: Arbitrary blob specific to this key module
442
*
443
* Decrypt data in @from, writing the decrypted data into @to, using
444
* @blob as the parameters for the encryption.
445
*/
446
static int ecryptfs_pkcs11h_decrypt(char *to, size_t *to_size, char *from,
447
size_t from_size, unsigned char *blob,
448
int blob_type)
449
{
450
struct pkcs11h_data _pkcs11h_data;
451
struct pkcs11h_data *pkcs11h_data = &_pkcs11h_data;
452
pkcs11h_certificate_id_t certificate_id = NULL;
453
pkcs11h_certificate_t certificate = NULL;
454
CK_RV rv = CKR_OK;
455
int rc;
456
457
if (to == NULL) {
458
*to_size = 0;
459
}
460
461
if ((rc = ecryptfs_pkcs11h_deserialize(pkcs11h_data, blob)) != 0) {
462
goto out;
463
}
464
465
if (
466
(rv = pkcs11h_certificate_deserializeCertificateId (
467
&certificate_id,
468
pkcs11h_data->serialized_id
469
)) != CKR_OK
470
) {
471
syslog(LOG_ERR, "PKCS#11: Cannot deserialize id rv=[%ld-'%s']", rv, pkcs11h_getMessage (rv));
472
rc = -EIO;
473
goto out;
474
}
475
476
if (
477
pkcs11h_data->certificate_blob != NULL &&
478
(rv = pkcs11h_certificate_setCertificateIdCertificateBlob (
479
certificate_id,
480
pkcs11h_data->certificate_blob,
481
pkcs11h_data->certificate_blob_size
482
)) != CKR_OK
483
) {
484
syslog(LOG_ERR, "PKCS#11: Cannot set certificate blob rv=[%ld-'%s']", rv, pkcs11h_getMessage (rv));
485
rc = -EIO;
486
goto out;
487
}
488
489
if (
490
(rv = pkcs11h_certificate_create (
491
certificate_id,
492
pkcs11h_data->passphrase,
493
PKCS11H_PROMPT_MASK_ALLOW_ALL,
494
PKCS11H_PIN_CACHE_INFINITE,
495
&certificate
496
)) != CKR_OK
497
) {
498
syslog(LOG_ERR, "PKCS#11: Cannot create certificate handle rv=[%ld-'%s']", rv, pkcs11h_getMessage (rv));
499
rc = -EIO;
500
goto out;
501
}
502
503
if (
504
(rv = pkcs11h_certificate_decryptAny (
505
certificate,
506
CKM_RSA_PKCS,
507
from,
508
from_size,
509
to,
510
to_size
511
)) != CKR_OK
512
) {
513
syslog(LOG_ERR, "PKCS#11: Cannot decrypt rv=[%ld-'%s']", rv, pkcs11h_getMessage (rv));
514
rc = -EIO;
515
goto out;
516
}
517
518
519
/*
520
* As we cannot store context between
521
* calls, we must end PKCS#11 operation
522
* or token will fail with operation
523
* in progress.
524
*/
525
if (to == NULL) {
526
char *tmp = (char *)malloc(*to_size);
527
if (tmp == NULL) {
528
rc = -ENOMEM;
529
goto out;
530
}
531
532
pkcs11h_certificate_decryptAny (
533
certificate,
534
CKM_RSA_PKCS,
535
from,
536
from_size,
537
tmp,
538
to_size
539
);
540
541
free(tmp);
542
tmp = NULL;
543
}
544
545
rc = 0;
546
out:
547
if (certificate != NULL) {
548
pkcs11h_certificate_freeCertificate (certificate);
549
certificate = NULL;
550
}
551
552
if (certificate_id != NULL) {
553
pkcs11h_certificate_freeCertificateId (certificate_id);
554
certificate_id = NULL;
555
}
556
557
return rc;
558
}
559
560
static int pkcs11h_get_id_list (char **list) {
561
pkcs11h_certificate_id_list_t user_certificates = NULL;
562
pkcs11h_certificate_id_list_t current = NULL;
563
CK_RV rv = CKR_FUNCTION_FAILED;
564
char *s = NULL;
565
int rc;
566
567
*list = NULL;
568
569
if (
570
(rv = pkcs11h_certificate_enumCertificateIds (
571
PKCS11H_ENUM_METHOD_CACHE_EXIST,
572
NULL,
573
PKCS11H_PROMPT_MASK_ALLOW_ALL,
574
NULL,
575
&user_certificates
576
)) != CKR_OK
577
) {
578
syslog(LOG_ERR, "PKCS#11: Cannot enumerate certificates rv=[%ld-'%s']", rv, pkcs11h_getMessage (rv));
579
rc = -EIO;
580
goto cleanup;
581
}
582
583
for (current = user_certificates; current != NULL; current = current->next) {
584
pkcs11h_certificate_t certificate = NULL;
585
X509 *x509 = NULL;
586
BIO *bio = NULL;
587
__pkcs11_openssl_d2i_t d2i1 = NULL;
588
unsigned char *certificate_blob = NULL;
589
size_t certificate_blob_size;
590
char dn[1024] = {0};
591
char serial[1024] = {0};
592
char *ser = NULL;
593
char *ssh_key = NULL;
594
size_t ser_len = 0;
595
int n;
596
597
if (
598
(rv = pkcs11h_certificate_serializeCertificateId (
599
NULL,
600
&ser_len,
601
current->certificate_id
602
)) != CKR_OK
603
) {
604
syslog(LOG_ERR, "PKCS#11: Cannot serialize certificate id certificates rv=[%ld-'%s']", rv, pkcs11h_getMessage (rv));
605
rc = -EIO;
606
goto cleanup1;
607
}
608
609
if (
610
(ser = (char *)malloc (ser_len)) == NULL
611
) {
612
syslog(LOG_ERR, "PKCS#11: Cannot allocate memory");
613
rc = -ENOMEM;
614
goto cleanup1;
615
}
616
617
if (
618
(rv = pkcs11h_certificate_serializeCertificateId (
619
ser,
620
&ser_len,
621
current->certificate_id
622
)) != CKR_OK
623
) {
624
syslog(LOG_ERR, "PKCS#11: Cannot serialize certificate id certificates rv=[%ld-'%s']", rv, pkcs11h_getMessage (rv));
625
rc = -EIO;
626
goto cleanup1;
627
}
628
629
if (
630
(rv = pkcs11h_certificate_create (
631
current->certificate_id,
632
NULL,
633
PKCS11H_PROMPT_MASK_ALLOW_ALL,
634
PKCS11H_PIN_CACHE_INFINITE,
635
&certificate
636
)) != CKR_OK
637
) {
638
syslog(LOG_ERR, "PKCS#11: Cannot create certificate rv=[%ld-'%s']", rv, pkcs11h_getMessage (rv));
639
rc = -EIO;
640
goto cleanup1;
641
}
642
643
if (
644
(rv = pkcs11h_certificate_getCertificateBlob (
645
certificate,
646
NULL,
647
&certificate_blob_size
648
)) != CKR_OK
649
) {
650
syslog(LOG_ERR, "PKCS#11: Cannot load certificate rv=[%ld-'%s']", rv, pkcs11h_getMessage (rv));
651
rc = -EIO;
652
goto cleanup1;
653
}
654
655
certificate_blob = malloc(certificate_blob_size);
656
if (!certificate_blob) {
657
syslog(LOG_ERR, "Out of memory\n");
658
rc = -ENOMEM;
659
goto cleanup1;
660
}
661
662
if (
663
(rv = pkcs11h_certificate_getCertificateBlob (
664
certificate,
665
certificate_blob,
666
&certificate_blob_size
667
)) != CKR_OK
668
) {
669
syslog(LOG_ERR, "PKCS#11: Cannot load certificate rv=[%ld-'%s']", rv, pkcs11h_getMessage (rv));
670
rc = -EIO;
671
goto cleanup1;
672
}
673
674
if ((x509 = X509_new ()) == NULL) {
675
syslog(LOG_ERR, "PKCS#11: Unable to allocate certificate object");
676
rc = -ENOMEM;
677
goto cleanup1;
678
}
679
680
d2i1 = (__pkcs11_openssl_d2i_t)certificate_blob;
681
if (!d2i_X509 (&x509, &d2i1, certificate_blob_size)) {
682
syslog(LOG_ERR, "PKCS#11: Unable to parse X.509 certificate");
683
rc = -EIO;
684
goto cleanup1;
685
}
686
687
X509_NAME_oneline (
688
X509_get_subject_name (x509),
689
dn,
690
sizeof(dn)
691
);
692
693
if ((bio = BIO_new (BIO_s_mem ())) == NULL) {
694
syslog(LOG_ERR, "PKCS#11: Cannot create BIO");
695
rc = -EIO;
696
goto cleanup1;
697
}
698
699
i2a_ASN1_INTEGER(bio, X509_get_serialNumber (x509));
700
n = BIO_read (bio, serial, sizeof(serial)-1);
701
if (n<0) {
702
serial[0] = '\x0';
703
}
704
else {
705
serial[n] = 0;
706
}
707
708
{
709
char *t = NULL;
710
711
if (asprintf (&t, "%s%s (%s) [%s]\n", s!=NULL?s:"", dn, serial, ser) == -1) {
712
rc = -ENOMEM;
713
goto cleanup1;
714
}
715
if (s != NULL) {
716
free(s);
717
}
718
s = t;
719
}
720
721
cleanup1:
722
if (certificate_blob != NULL) {
723
free(certificate_blob);
724
certificate_blob = NULL;
725
}
726
727
if (x509 != NULL) {
728
X509_free(x509);
729
x509 = NULL;
730
}
731
732
if (bio != NULL) {
733
BIO_free_all (bio);
734
bio = NULL;
735
}
736
737
if (certificate != NULL) {
738
pkcs11h_certificate_freeCertificate (certificate);
739
certificate = NULL;
740
}
741
742
if (ser != NULL) {
743
free(ser);
744
ser = NULL;
745
}
746
}
747
748
*list = s;
749
s = NULL;
750
rc = 0;
751
752
cleanup:
753
754
if (user_certificates != NULL) {
755
pkcs11h_certificate_freeCertificateIdList (user_certificates);
756
user_certificates = NULL;
757
}
758
759
if (s != NULL) {
760
free(s);
761
s = NULL;
762
}
763
764
return rc;
765
}
766
767
static int ecryptfs_pkcs11h_process_key(struct pkcs11h_subgraph_key_ctx *subgraph_key_ctx,
768
struct val_node **mnt_params)
769
{
770
struct pkcs11h_data *pkcs11h_data = &subgraph_key_ctx->pkcs11h_data;
771
pkcs11h_certificate_id_t certificate_id = NULL;
772
pkcs11h_certificate_t certificate = NULL;
773
size_t blob_size;
774
char *sig_mnt_opt;
775
char sig[ECRYPTFS_SIG_SIZE_HEX + 1];
776
CK_RV rv;
777
int rc;
778
779
if (
780
(rv = pkcs11h_certificate_deserializeCertificateId (
781
&certificate_id,
782
pkcs11h_data->serialized_id
783
)) != CKR_OK
784
) {
785
syslog(LOG_ERR, "PKCS#11: Cannot deserialize id rv=[%ld-'%s']", rv, pkcs11h_getMessage (rv));
786
rc = -EIO;
787
goto out;
788
}
789
790
if (
791
(rv = pkcs11h_certificate_create (
792
certificate_id,
793
pkcs11h_data->passphrase,
794
PKCS11H_PROMPT_MASK_ALLOW_ALL,
795
PKCS11H_PIN_CACHE_INFINITE,
796
&certificate
797
)) != CKR_OK
798
) {
799
syslog(LOG_ERR, "PKCS#11: Cannot get certificate rv=[%ld-'%s']", rv, pkcs11h_getMessage (rv));
800
rc = -EIO;
801
goto out;
802
}
803
804
if (pkcs11h_data->certificate_blob == NULL) {
805
if (
806
(rv = pkcs11h_certificate_getCertificateBlob (
807
certificate,
808
NULL,
809
&pkcs11h_data->certificate_blob_size
810
)) != CKR_OK
811
) {
812
syslog(LOG_ERR, "PKCS#11: Cannot load certificate rv=[%ld-'%s']", rv, pkcs11h_getMessage (rv));
813
rc = -EIO;
814
goto out;
815
}
816
817
pkcs11h_data->certificate_blob = malloc(pkcs11h_data->certificate_blob_size);
818
if (!pkcs11h_data->certificate_blob) {
819
syslog(LOG_ERR, "PKCS#11: Out of memory\n");
820
rc = -ENOMEM;
821
goto out;
822
}
823
824
if (
825
(rv = pkcs11h_certificate_getCertificateBlob (
826
certificate,
827
pkcs11h_data->certificate_blob,
828
&pkcs11h_data->certificate_blob_size
829
)) != CKR_OK
830
) {
831
syslog(LOG_ERR, "PKCS#11: Cannot load certificate rv=[%ld-'%s']", rv, pkcs11h_getMessage (rv));
832
rc = -EIO;
833
goto out;
834
}
835
}
836
837
if ((rc = ecryptfs_pkcs11h_serialize(NULL, &blob_size,
838
pkcs11h_data))) {
839
syslog(LOG_ERR, "PKCS#11: Error serializing pkcs11; rc=[%d]\n", rc);
840
rc = MOUNT_ERROR;
841
goto out;
842
}
843
if (blob_size == 0) {
844
syslog(LOG_ERR, "PKCS#11: Error serializing pkcs11\n");
845
rc = MOUNT_ERROR;
846
goto out;
847
}
848
if ((subgraph_key_ctx->key_mod->blob = malloc(blob_size)) == NULL) {
849
syslog(LOG_ERR, "PKCS#11: Out of memory\n");
850
rc = MOUNT_ERROR;
851
goto out;
852
}
853
if ((rc = ecryptfs_pkcs11h_serialize(subgraph_key_ctx->key_mod->blob,
854
&subgraph_key_ctx->key_mod->blob_size,
855
pkcs11h_data))) {
856
syslog(LOG_ERR, "PKCS#11: Error serializing pkcs11; rc=[%d]\n", rc);
857
rc = MOUNT_ERROR;
858
goto out;
859
}
860
if (subgraph_key_ctx->key_mod->blob_size != blob_size) {
861
syslog(LOG_ERR, "PKCS#11: %s: Internal error\n", __FUNCTION__);
862
exit(1);
863
}
864
if ((rc = ecryptfs_add_key_module_key_to_keyring(sig, subgraph_key_ctx->key_mod)) < 0) {
865
syslog(
866
LOG_ERR,
867
"PKCS#11: Error attempting to add key to keyring for key module [%s]; rc=[%d]\n",
868
subgraph_key_ctx->key_mod->alias,
869
rc
870
);
871
rc = MOUNT_ERROR;
872
goto out;
873
}
874
if ((rc = asprintf(&sig_mnt_opt, "ecryptfs_sig=%s", sig)) == -1) {
875
rc = MOUNT_ERROR;
876
goto out;
877
}
878
rc = 0;
879
stack_push(mnt_params, sig_mnt_opt);
880
out:
881
if (certificate != NULL) {
882
pkcs11h_certificate_freeCertificate (certificate);
883
certificate = NULL;
884
}
885
886
if (certificate_id != NULL) {
887
pkcs11h_certificate_freeCertificateId (certificate_id);
888
certificate_id = NULL;
889
}
890
891
return rc;
892
}
893
894
static void
895
tf_ecryptfs_pkcs11h_destroy_subgraph_key_ctx(struct pkcs11h_subgraph_key_ctx *ctx)
896
{
897
if (ctx->pkcs11h_data.serialized_id != NULL) {
898
free(ctx->pkcs11h_data.serialized_id);
899
}
900
if (ctx->pkcs11h_data.passphrase != NULL) {
901
memset(ctx->pkcs11h_data.passphrase, 0, strlen(ctx->pkcs11h_data.passphrase));
902
free(ctx->pkcs11h_data.passphrase);
903
}
904
if (ctx->pkcs11h_data.certificate_blob != NULL) {
905
free(ctx->pkcs11h_data.certificate_blob);
906
}
907
memset(&ctx->pkcs11h_data, 0, sizeof(ctx->pkcs11h_data));
908
memset(ctx, 0, sizeof(*ctx));
909
}
910
911
static void
912
tf_ecryptfs_pkcs11h_destroy_subgraph_provider_ctx(struct pkcs11h_subgraph_provider_ctx *ctx)
913
{
914
if (ctx->name != NULL) {
915
free(ctx->name);
916
}
917
if (ctx->library != NULL) {
918
free(ctx->library);
919
}
920
memset(ctx, 0, sizeof(*ctx));
921
}
922
923
static int tf_pkcs11h_global_loglevel(struct ecryptfs_ctx *ctx, struct param_node *node,
924
struct val_node **mnt_params, void **foo)
925
{
926
int rc;
927
928
pkcs11h_setLogLevel (atoi (node->val));
929
930
rc = DEFAULT_TOK;
931
node->val = NULL;
932
out:
933
return rc;
934
}
935
936
static int tf_pkcs11h_global_pincache(struct ecryptfs_ctx *ctx, struct param_node *node,
937
struct val_node **mnt_params, void **foo)
938
{
939
int rc;
940
941
pkcs11h_setPINCachePeriod (atoi (node->val));
942
943
rc = DEFAULT_TOK;
944
node->val = NULL;
945
out:
946
return rc;
947
}
948
949
static int tf_pkcs11h_provider(struct ecryptfs_ctx *ctx, struct param_node *node,
950
struct val_node **mnt_params, void **foo)
951
{
952
struct pkcs11h_subgraph_provider_ctx *subgraph_provider_ctx;
953
int rc;
954
955
if ((subgraph_provider_ctx = malloc(sizeof(*ctx)))
956
== NULL) {
957
rc = -ENOMEM;
958
goto out;
959
}
960
memset(subgraph_provider_ctx, 0, sizeof(*ctx));
961
962
(*foo) = (void *)subgraph_provider_ctx;
963
rc = DEFAULT_TOK;
964
node->val = NULL;
965
out:
966
return rc;
967
}
968
969
static int tf_pkcs11h_provider_name(struct ecryptfs_ctx *ctx, struct param_node *node,
970
struct val_node **mnt_params, void **foo)
971
{
972
struct pkcs11h_subgraph_provider_ctx *subgraph_provider_ctx;
973
int rc;
974
975
subgraph_provider_ctx = (struct pkcs11h_subgraph_provider_ctx *)(*foo);
976
if ((rc = asprintf(&subgraph_provider_ctx->name, "%s", node->val))
977
== -1) {
978
rc = MOUNT_ERROR;
979
goto out;
980
}
981
rc = DEFAULT_TOK;
982
node->val = NULL;
983
out:
984
return rc;
985
}
986
987
static int tf_pkcs11h_provider_library(struct ecryptfs_ctx *ctx, struct param_node *node,
988
struct val_node **mnt_params, void **foo)
989
{
990
struct pkcs11h_subgraph_provider_ctx *subgraph_provider_ctx;
991
int rc;
992
993
subgraph_provider_ctx = (struct pkcs11h_subgraph_provider_ctx *)(*foo);
994
if ((rc = asprintf(&subgraph_provider_ctx->library, "%s", node->val))
995
== -1) {
996
rc = MOUNT_ERROR;
997
goto out;
998
}
999
rc = DEFAULT_TOK;
1000
node->val = NULL;
1001
out:
1002
return rc;
1003
}
1004
1005
static int tf_pkcs11h_provider_prot_auth(struct ecryptfs_ctx *ctx, struct param_node *node,
1006
struct val_node **mnt_params, void **foo)
1007
{
1008
struct pkcs11h_subgraph_provider_ctx *subgraph_provider_ctx;
1009
int rc;
1010
1011
subgraph_provider_ctx = (struct pkcs11h_subgraph_provider_ctx *)(*foo);
1012
sscanf (node->val, "%x", &subgraph_provider_ctx->allow_protected_authentication);
1013
rc = DEFAULT_TOK;
1014
node->val = NULL;
1015
out:
1016
return rc;
1017
}
1018
1019
static int tf_pkcs11h_provider_cert_private(struct ecryptfs_ctx *ctx, struct param_node *node,
1020
struct val_node **mnt_params, void **foo)
1021
{
1022
struct pkcs11h_subgraph_provider_ctx *subgraph_provider_ctx;
1023
int rc;
1024
1025
subgraph_provider_ctx = (struct pkcs11h_subgraph_provider_ctx *)(*foo);
1026
sscanf (node->val, "%x", &subgraph_provider_ctx->certificate_is_private);
1027
rc = DEFAULT_TOK;
1028
node->val = NULL;
1029
out:
1030
return rc;
1031
}
1032
1033
static int tf_pkcs11h_provider_private_mask(struct ecryptfs_ctx *ctx, struct param_node *node,
1034
struct val_node **mnt_params, void **foo)
1035
{
1036
struct pkcs11h_subgraph_provider_ctx *subgraph_provider_ctx;
1037
CK_RV rv = CKR_FUNCTION_FAILED;
1038
int rc;
1039
1040
subgraph_provider_ctx = (struct pkcs11h_subgraph_provider_ctx *)(*foo);
1041
sscanf (node->val, "%x", &subgraph_provider_ctx->private_mask);
1042
1043
1044
if (
1045
(rv = pkcs11h_addProvider (
1046
subgraph_provider_ctx->name,
1047
subgraph_provider_ctx->library,
1048
subgraph_provider_ctx->allow_protected_authentication != 0,
1049
subgraph_provider_ctx->private_mask,
1050
PKCS11H_SLOTEVENT_METHOD_AUTO,
1051
0,
1052
subgraph_provider_ctx->certificate_is_private != 0
1053
)) != CKR_OK
1054
) {
1055
syslog(LOG_ERR, "PKCS#11: Cannot initialize provider '%s' rv=[%ld-'%s']", subgraph_provider_ctx->name, rv, pkcs11h_getMessage (rv));
1056
}
1057
1058
tf_ecryptfs_pkcs11h_destroy_subgraph_provider_ctx(subgraph_provider_ctx);
1059
free(subgraph_provider_ctx);
1060
(*foo) = NULL;
1061
rc = DEFAULT_TOK;
1062
out:
1063
return rc;
1064
}
1065
1066
static int tf_pkcs11h_key_id(struct ecryptfs_ctx *ctx, struct param_node *node,
1067
struct val_node **mnt_params, void **foo)
1068
{
1069
struct pkcs11h_subgraph_key_ctx *subgraph_key_ctx;
1070
int rc;
1071
1072
subgraph_key_ctx = (struct pkcs11h_subgraph_key_ctx *)(*foo);
1073
if ((rc = asprintf(&subgraph_key_ctx->pkcs11h_data.serialized_id, "%s", node->val))
1074
== -1) {
1075
rc = MOUNT_ERROR;
1076
goto out;
1077
}
1078
rc = DEFAULT_TOK;
1079
node->val = NULL;
1080
out:
1081
return rc;
1082
}
1083
1084
static int tf_pkcs11h_key_passwd(struct ecryptfs_ctx *ctx, struct param_node *node,
1085
struct val_node **mnt_params, void **foo)
1086
{
1087
struct pkcs11h_subgraph_key_ctx *subgraph_key_ctx;
1088
int rc;
1089
1090
subgraph_key_ctx = (struct pkcs11h_subgraph_key_ctx *)(*foo);
1091
if ((rc = asprintf(&subgraph_key_ctx->pkcs11h_data.passphrase, "%s",
1092
node->val)) == -1) {
1093
rc = MOUNT_ERROR;
1094
goto out;
1095
}
1096
node->val = NULL;
1097
rc = DEFAULT_TOK;
1098
out:
1099
return rc;
1100
}
1101
1102
static int tf_pkcs11h_key_x509file(struct ecryptfs_ctx *ctx, struct param_node *node,
1103
struct val_node **mnt_params, void **foo)
1104
{
1105
struct pkcs11h_subgraph_key_ctx *subgraph_key_ctx;
1106
X509 *x509 = NULL;
1107
unsigned char *p = NULL;
1108
FILE *fp = NULL;
1109
int rc;
1110
1111
subgraph_key_ctx = (struct pkcs11h_subgraph_key_ctx *)(*foo);
1112
1113
if (node->val != NULL && strlen(node->val) > 0) {
1114
if ((fp = fopen (node->val, "r")) == NULL) {
1115
syslog(LOG_ERR, "PKCS#11: Cannot open file '%s'", node->val);
1116
rc = -errno;
1117
goto out;
1118
}
1119
1120
if (
1121
!PEM_read_X509 (
1122
fp,
1123
&x509,
1124
NULL,
1125
0
1126
)
1127
) {
1128
x509 = NULL;
1129
syslog(LOG_ERR, "PKCS#11: Cannot read PEM from file '%s'", node->val);
1130
rc = -EIO;
1131
goto out;
1132
}
1133
1134
if ((subgraph_key_ctx->pkcs11h_data.certificate_blob_size = i2d_X509 (x509, NULL)) < 0 ) {
1135
syslog(LOG_ERR, "PKCS#11: Cannot read decode certificate");
1136
rc = -EIO;
1137
goto out;
1138
}
1139
1140
if (
1141
(subgraph_key_ctx->pkcs11h_data.certificate_blob = (unsigned char *)malloc (
1142
subgraph_key_ctx->pkcs11h_data.certificate_blob_size
1143
)) == NULL
1144
) {
1145
syslog(LOG_ERR, "PKCS#11: Cannot allocate memory");
1146
rc = -ENOMEM;
1147
goto out;
1148
}
1149
1150
/*
1151
* i2d_X509 increments p!!!
1152
*/
1153
p = subgraph_key_ctx->pkcs11h_data.certificate_blob;
1154
1155
if ((subgraph_key_ctx->pkcs11h_data.certificate_blob_size = i2d_X509 (x509, &p)) < 0) {
1156
syslog(LOG_ERR, "PKCS#11: Cannot read decode certificate");
1157
goto out;
1158
}
1159
}
1160
1161
node->val = NULL;
1162
if ((rc = ecryptfs_pkcs11h_process_key(subgraph_key_ctx, mnt_params))) {
1163
syslog(LOG_ERR, "PKCS#11: Error processing PKCS#11 key; rc=[%d]", rc);
1164
goto out;
1165
}
1166
tf_ecryptfs_pkcs11h_destroy_subgraph_key_ctx(subgraph_key_ctx);
1167
free(subgraph_key_ctx);
1168
(*foo) = NULL;
1169
rc = DEFAULT_TOK;
1170
1171
out:
1172
1173
if (x509 != NULL) {
1174
X509_free(x509);
1175
x509 = NULL;
1176
}
1177
1178
if (fp != NULL) {
1179
fclose (fp);
1180
fp = NULL;
1181
}
1182
1183
return rc;
1184
}
1185
1186
#define PKCS11H_GLOBAL_TOK_LOGLEVEL 0
1187
#define PKCS11H_GLOBAL_TOK_PINCACHE 1
1188
static struct param_node pkcs11h_global_param_nodes[] = {
1189
1190
{.num_mnt_opt_names = 1,
1191
.mnt_opt_names = {"pkcs11-log-level"},
1192
.prompt = "PKCS#11 Log Level",
1193
.val_type = VAL_STR,
1194
.val = NULL,
1195
.display_opts = NULL,
1196
.default_val = "0",
1197
.suggested_val = NULL,
1198
.flags = ECRYPTFS_PARAM_FLAG_ECHO_INPUT,
1199
.num_transitions = 1,
1200
.tl = {{.val = NULL,
1201
.pretty_val = NULL,
1202
.next_token = NULL,
1203
.trans_func = tf_pkcs11h_global_loglevel}}},
1204
1205
{.num_mnt_opt_names = 1,
1206
.mnt_opt_names = {"pkcs11-pin-cache-timeout"},
1207
.prompt = "PKCS#11 Log Level",
1208
.val_type = VAL_STR,
1209
.val = NULL,
1210
.display_opts = NULL,
1211
.default_val = "-1",
1212
.suggested_val = NULL,
1213
.flags = ECRYPTFS_PARAM_FLAG_ECHO_INPUT,
1214
.num_transitions = 1,
1215
.tl = {{.val = NULL,
1216
.pretty_val = NULL,
1217
.next_token = NULL,
1218
.trans_func = tf_pkcs11h_global_pincache}}},
1219
};
1220
1221
#define PKCS11H_PROVIER_TOK_PROVIDER 0
1222
#define PKCS11H_PROVIER_TOK_NAME 1
1223
#define PKCS11H_PROVIER_TOK_LIBRARY 2
1224
#define PKCS11H_PROVIER_TOK_PROT_AUTH 3
1225
#define PKCS11H_PROVIER_TOK_CERT_PRIVATE 4
1226
#define PKCS11H_PROVIER_TOK_PRIVATE_MASK 5
1227
static struct param_node pkcs11h_provider_param_nodes[] = {
1228
1229
{.num_mnt_opt_names = 1,
1230
.mnt_opt_names = {"pkcs11-provider"},
1231
.prompt = "PKCS#11 Provider",
1232
.val_type = VAL_STR,
1233
.val = NULL,
1234
.display_opts = NULL,
1235
.default_val = "",
1236
.suggested_val = NULL,
1237
.flags = DISPLAY_TRANSITION_NODE_VALS | ECRYPTFS_PARAM_FLAG_ECHO_INPUT,
1238
.num_transitions = 1,
1239
.tl = {{.val = "name",
1240
.pretty_val = "PKCS#11 Provider Alias",
1241
.next_token = &pkcs11h_provider_param_nodes[PKCS11H_PROVIER_TOK_NAME],
1242
.trans_func = tf_pkcs11h_provider}}},
1243
1244
{.num_mnt_opt_names = 1,
1245
.mnt_opt_names = {"name"},
1246
.prompt = "PKCS#11 Provider Alias",
1247
.val_type = VAL_STR,
1248
.val = NULL,
1249
.display_opts = NULL,
1250
.default_val = NULL,
1251
.flags = ECRYPTFS_PARAM_FLAG_ECHO_INPUT | VERIFY_VALUE,
1252
.num_transitions = 1,
1253
.tl = {{.val = "library",
1254
.pretty_val = "PKCS#11 Library",
1255
.next_token = &pkcs11h_provider_param_nodes[PKCS11H_PROVIER_TOK_LIBRARY],
1256
.trans_func = tf_pkcs11h_provider_name}}},
1257
1258
{.num_mnt_opt_names = 1,
1259
.mnt_opt_names = {"library"},
1260
.prompt = "PKCS#11 Library",
1261
.val_type = VAL_STR,
1262
.val = NULL,
1263
.display_opts = NULL,
1264
.default_val = NULL,
1265
.flags = ECRYPTFS_PARAM_FLAG_ECHO_INPUT | VERIFY_VALUE,
1266
.num_transitions = 1,
1267
.tl = {{.val = "allow-protected-auth",
1268
.pretty_val = "Allow Protected Authentication",
1269
.next_token = &pkcs11h_provider_param_nodes[PKCS11H_PROVIER_TOK_PROT_AUTH],
1270
.trans_func = tf_pkcs11h_provider_library}}},
1271
1272
{.num_mnt_opt_names = 1,
1273
.mnt_opt_names = {"allow-protected-auth"},
1274
.prompt = "Allow Protected Authentication",
1275
.val_type = VAL_HEX,
1276
.val = NULL,
1277
.display_opts = NULL,
1278
.default_val = "1",
1279
.flags = ECRYPTFS_PARAM_FLAG_ECHO_INPUT | VERIFY_VALUE,
1280
.num_transitions = 1,
1281
.tl = {{.val = "cert-private",
1282
.pretty_val = "Certificate is private object",
1283
.next_token = &pkcs11h_provider_param_nodes[PKCS11H_PROVIER_TOK_CERT_PRIVATE],
1284
.trans_func = tf_pkcs11h_provider_prot_auth}}},
1285
1286
{.num_mnt_opt_names = 1,
1287
.mnt_opt_names = {"cert-private"},
1288
.prompt = "Certificate is private object",
1289
.val_type = VAL_HEX,
1290
.val = NULL,
1291
.display_opts = NULL,
1292
.default_val = "0",
1293
.flags = ECRYPTFS_PARAM_FLAG_ECHO_INPUT | VERIFY_VALUE,
1294
.num_transitions = 1,
1295
.tl = {{.val = "private-mask",
1296
.pretty_val = "Private Key Mask",
1297
.next_token = &pkcs11h_provider_param_nodes[PKCS11H_PROVIER_TOK_PRIVATE_MASK],
1298
.trans_func = tf_pkcs11h_provider_cert_private}}},
1299
1300
{.num_mnt_opt_names = 1,
1301
.mnt_opt_names = {"private-mask"},
1302
.prompt = "Private Key Mask",
1303
.val_type = VAL_HEX,
1304
.val = NULL,
1305
.display_opts = NULL,
1306
.default_val = "0",
1307
.flags = ECRYPTFS_PARAM_FLAG_ECHO_INPUT | VERIFY_VALUE,
1308
.num_transitions = 1,
1309
.tl = {{.val = "pkcs11-provider",
1310
.pretty_val = "PKCS#11 Provider",
1311
.next_token = &pkcs11h_provider_param_nodes[PKCS11H_PROVIER_TOK_PROVIDER],
1312
.trans_func = tf_pkcs11h_provider_private_mask}}},
1313
};
1314
1315
#define PKCS11H_KEY_TOK_TOK 0
1316
#define PKCS11H_KEY_TOK_ID 1
1317
#define PKCS11H_KEY_TOK_PASSWD 2
1318
#define PKCS11H_KEY_TOK_PASS_ENV 3
1319
#define PKCS11H_KEY_TOK_PASS_STDIN 4
1320
#define PKCS11H_KEY_TOK_DEFAULT_PASS 5
1321
#define PKCS11H_KEY_TOK_DEFAULT_X509_FILE 6
1322
static struct param_node pkcs11h_key_param_nodes[] = {
1323
{.num_mnt_opt_names = 1,
1324
.mnt_opt_names = {"keyformat"},
1325
.prompt = "Key format",
1326
.val_type = VAL_STR,
1327
.val = NULL,
1328
.display_opts = NULL,
1329
.default_val = "id",
1330
.flags = ECRYPTFS_PARAM_FLAG_NO_VALUE,
1331
.num_transitions = 1,
1332
.tl = {{.val = "default",
1333
.pretty_val = "PKCS#11 ID",
1334
.next_token = &pkcs11h_key_param_nodes[PKCS11H_KEY_TOK_ID],
1335
.trans_func = NULL}}},
1336
1337
{.num_mnt_opt_names = 1,
1338
.mnt_opt_names = {"id"},
1339
.prompt = "PKCS#11 Serialized ID",
1340
.val_type = VAL_STR,
1341
.val = NULL,
1342
.display_opts = NULL,
1343
.default_val = NULL,
1344
.suggested_val = NULL,
1345
.flags = ECRYPTFS_PARAM_FLAG_ECHO_INPUT,
1346
.num_transitions = 4,
1347
.tl = {{.val = "passwd",
1348
.pretty_val = "",
1349
.next_token = &pkcs11h_key_param_nodes[PKCS11H_KEY_TOK_PASSWD],
1350
.trans_func = tf_pkcs11h_key_id},
1351
{.val = "passenv",
1352
.pretty_val = "Passphrase ENV",
1353
.next_token = &pkcs11h_key_param_nodes[PKCS11H_KEY_TOK_PASS_ENV],
1354
.trans_func = tf_pkcs11h_key_id},
1355
{.val = "passstdin",
1356
.pretty_val = "Passphrase STDIN",
1357
.next_token = &pkcs11h_key_param_nodes[PKCS11H_KEY_TOK_PASS_STDIN],
1358
.trans_func = tf_pkcs11h_key_id},
1359
{.val = "default",
1360
.pretty_val = "Passphrase (empty for interactive)",
1361
.next_token = &pkcs11h_key_param_nodes[PKCS11H_KEY_TOK_DEFAULT_PASS],
1362
.trans_func = tf_pkcs11h_key_id}}},
1363
1364
{.num_mnt_opt_names = 1,
1365
.mnt_opt_names = {"passwd"},
1366
.prompt = "Passphrase (empty for interactive)",
1367
.val_type = VAL_STR,
1368
.val = NULL,
1369
.display_opts = NULL,
1370
.default_val = NULL,
1371
.flags = ECRYPTFS_PARAM_FLAG_MASK_OUTPUT,
1372
.num_transitions = 1,
1373
.tl = {{.val = NULL,
1374
.pretty_val = NULL,
1375
.next_token = NULL,
1376
.trans_func = tf_pkcs11h_key_passwd}}},
1377
1378
{.num_mnt_opt_names = 1,
1379
.mnt_opt_names = {"passenv"},
1380
.prompt = "Passphrase (empty for interactive)",
1381
.val_type = VAL_STR,
1382
.val = NULL,
1383
.display_opts = NULL,
1384
.default_val = NULL,
1385
.flags = ECRYPTFS_PARAM_FLAG_MASK_OUTPUT,
1386
.num_transitions = 1,
1387
.tl = {{.val = NULL,
1388
.pretty_val = NULL,
1389
.next_token = NULL,
1390
.trans_func = tf_pkcs11h_key_passwd}}},
1391
1392
{.num_mnt_opt_names = 1,
1393
.mnt_opt_names = {"passstdin"},
1394
.prompt = "Passphrase (empty for interactive)",
1395
.val_type = VAL_STR,
1396
.val = NULL,
1397
.display_opts = NULL,
1398
.default_val = NULL,
1399
.flags = VERIFY_VALUE | STDIN_REQUIRED,
1400
.num_transitions = 1,
1401
.tl = {{.val = NULL,
1402
.pretty_val = NULL,
1403
.next_token = NULL,
1404
.trans_func = tf_pkcs11h_key_passwd}}},
1405
1406
{.num_mnt_opt_names = 1,
1407
.mnt_opt_names = {"defaultpass"},
1408
.prompt = "Passphrase (empty for interactive)",
1409
.val_type = VAL_STR,
1410
.val = NULL,
1411
.display_opts = NULL,
1412
.default_val = NULL,
1413
.flags = STDIN_REQUIRED,
1414
.num_transitions = 1,
1415
.tl = {{.val = "default",
1416
.pretty_val = "Optional X.509 Certificate PEM file",
1417
.next_token = &pkcs11h_key_param_nodes[PKCS11H_KEY_TOK_DEFAULT_X509_FILE],
1418
.trans_func = tf_pkcs11h_key_passwd}}},
1419
1420
{.num_mnt_opt_names = 1,
1421
.mnt_opt_names = {"x509file"},
1422
.prompt = "Optional X.509 Certificate PEM file",
1423
.val_type = VAL_STR,
1424
.val = NULL,
1425
.display_opts = NULL,
1426
.default_val = NULL,
1427
.flags = ECRYPTFS_PARAM_FLAG_ECHO_INPUT,
1428
.num_transitions = 1,
1429
.tl = {{.val = NULL,
1430
.pretty_val = NULL,
1431
.next_token = NULL,
1432
.trans_func = tf_pkcs11h_key_x509file}}},
1433
};
1434
1435
/**
1436
* tf_pkcs11h_key_enter
1437
* @ctx: The current applicable libecryptfs context struct
1438
* @node: The param_node from which we are transitioning
1439
* @head: The head of the name/value pair list that is being
1440
* constructed as the decision graph is being traversed
1441
* @foo: Arbitary state information for the current subgraph
1442
*
1443
* Each transition from one node in the decision graph to another node
1444
* can have a function executed on the transition event. A transition
1445
* into any given subgraph may require certain housekeeping and
1446
* initialization functions to occur.
1447
*
1448
* The decision graph engine forwards along an arbitrary data
1449
* structure among the nodes of any subgraph. The logic in the
1450
* subgraph can use that data structure to access and maintain
1451
* arbitrary status information that is unique to the function of that
1452
* subgraph.
1453
*/
1454
static int tf_pkcs11h_key_enter(struct ecryptfs_ctx *ctx,
1455
struct param_node *param_node,
1456
struct val_node **mnt_params, void **foo)
1457
{
1458
struct pkcs11h_subgraph_key_ctx *subgraph_key_ctx;
1459
int rc;
1460
1461
if ((subgraph_key_ctx = malloc(sizeof(*ctx)))
1462
== NULL) {
1463
rc = -ENOMEM;
1464
goto out;
1465
}
1466
memset(subgraph_key_ctx, 0, sizeof(*ctx));
1467
if ((rc = ecryptfs_find_key_mod(&subgraph_key_ctx->key_mod, ctx,
1468
param_node->val))) {
1469
syslog(LOG_ERR, "PKCS#11: Cannot find key_mod for param_node with val = [%s]\n", param_node->val);
1470
goto out;
1471
}
1472
1473
if (pkcs11h_key_param_nodes[PKCS11H_KEY_TOK_ID].suggested_val) {
1474
free (pkcs11h_key_param_nodes[PKCS11H_KEY_TOK_ID].suggested_val);
1475
pkcs11h_key_param_nodes[PKCS11H_KEY_TOK_ID].suggested_val = NULL;
1476
}
1477
1478
if (!strcmp (param_node->mnt_opt_names[0], "key")) {
1479
if ((rc = pkcs11h_get_id_list(&pkcs11h_key_param_nodes[PKCS11H_KEY_TOK_ID].suggested_val)) != 0) {
1480
goto out;
1481
}
1482
}
1483
1484
(*foo) = (void *)subgraph_key_ctx;
1485
out:
1486
return rc;
1487
}
1488
1489
struct transition_node pkcs11h_key_transition = {
1490
.val = "pkcs11-helper",
1491
.pretty_val = "PKCS#11 module using pkcs11-helper",
1492
.next_token = &(pkcs11h_key_param_nodes[0]),
1493
.trans_func = tf_pkcs11h_key_enter
1494
};
1495
1496
static int ecryptfs_pkcs11h_get_param_subgraph_trans_node(
1497
struct transition_node **trans, uint32_t version)
1498
{
1499
if ((version & ECRYPTFS_VERSIONING_PUBKEY) == 0)
1500
return -1;
1501
(*trans) = &pkcs11h_key_transition;
1502
return 0;
1503
}
1504
1505
static int ecryptfs_pkcs11h_parse_file(struct param_node *param_nodes)
1506
{
1507
struct ecryptfs_ctx _ctx;
1508
struct ecryptfs_ctx *ctx = &_ctx;
1509
struct ecryptfs_name_val_pair nvp_head;
1510
struct val_node *dummy_mnt_params;
1511
uid_t id;
1512
struct passwd *pw;
1513
char *rcfile_fullpath = NULL;
1514
int fd;
1515
int rc;
1516
1517
if ((pw = getpwuid(getuid())) == NULL) {
1518
rc = -EIO;
1519
goto out;
1520
}
1521
1522
if (asprintf(&rcfile_fullpath, "%s/.ecryptfsrc.pkcs11", pw->pw_dir) == -1) {
1523
rc = -ENOMEM;
1524
goto out;
1525
}
1526
1527
if ((fd = open(rcfile_fullpath, O_RDONLY)) == -1) {
1528
rc = -errno;
1529
goto out;
1530
}
1531
1532
memset(ctx, 0, sizeof(*ctx));
1533
memset(&nvp_head, 0, sizeof(nvp_head));
1534
1535
if ((dummy_mnt_params = malloc(sizeof(*dummy_mnt_params))) == NULL) {
1536
rc = -ENOMEM;
1537
goto out;
1538
}
1539
rc = parse_options_file(fd, &nvp_head);
1540
close(fd);
1541
1542
if (ecryptfs_verbosity) {
1543
struct ecryptfs_name_val_pair *nvp_item = &nvp_head;
1544
1545
while (nvp_item) {
1546
if (ecryptfs_verbosity)
1547
syslog(LOG_INFO, "PKCS#11: name = [%s]; value = [%s]\n",
1548
nvp_item->name, nvp_item->value);
1549
nvp_item = nvp_item->next;
1550
}
1551
}
1552
ctx->nvp_head = &nvp_head;
1553
ecryptfs_eval_decision_graph(ctx, &dummy_mnt_params, param_nodes,
1554
&nvp_head);
1555
1556
rc = 0;
1557
out:
1558
if (rcfile_fullpath != NULL) {
1559
free(rcfile_fullpath);
1560
}
1561
1562
return rc;
1563
}
1564
1565
static int ecryptfs_pkcs11h_init(char **alias)
1566
{
1567
CK_RV rv = CKR_FUNCTION_FAILED;
1568
int rc = 0;
1569
1570
if (asprintf(alias, "pkcs11") == -1) {
1571
syslog(LOG_ERR, "PKCS#11: Out of memory\n");
1572
rc = -ENOMEM;
1573
goto out;
1574
}
1575
1576
if ((rv = pkcs11h_initialize ()) != CKR_OK) {
1577
syslog(LOG_ERR, "PKCS#11: Cannot initialize rv=[%ld-'%s']", rv, pkcs11h_getMessage (rv));
1578
rc = -EIO;
1579
goto out;
1580
}
1581
1582
if ((rv = pkcs11h_setLogHook (pkcs11h_log, NULL)) != CKR_OK) {
1583
syslog(LOG_ERR, "PKCS#11: Cannot set hooks rv=[%ld-'%s']", rv, pkcs11h_getMessage (rv));
1584
rc = -EIO;
1585
goto out;
1586
}
1587
1588
pkcs11h_setLogLevel (PKCS11H_LOG_QUIET);
1589
1590
ecryptfs_pkcs11h_parse_file(pkcs11h_global_param_nodes);
1591
1592
if ((rv = pkcs11h_setTokenPromptHook (pkcs11h_token_prompt, NULL)) != CKR_OK) {
1593
syslog(LOG_ERR, "PKCS#11: Cannot set hooks rv=[%ld-'%s']", rv, pkcs11h_getMessage (rv));
1594
rc = -EIO;
1595
goto out;
1596
}
1597
1598
if ((rv = pkcs11h_setPINPromptHook (pkcs11h_pin_prompt, NULL)) != CKR_OK) {
1599
syslog(LOG_ERR, "PKCS#11: Cannot set hooks rv=[%ld-'%s']", rv, pkcs11h_getMessage (rv));
1600
rc = -EIO;
1601
goto out;
1602
}
1603
1604
if ((rv = pkcs11h_setProtectedAuthentication (1)) != CKR_OK) {
1605
syslog(LOG_ERR, "PKCS#11: Cannot set protected authentication mode rv=[%ld-'%s']", rv, pkcs11h_getMessage (rv));
1606
rc = -EIO;
1607
goto out;
1608
}
1609
1610
ecryptfs_pkcs11h_parse_file(pkcs11h_provider_param_nodes);
1611
1612
rc = 0;
1613
out:
1614
return rc;
1615
}
1616
1617
static int ecryptfs_pkcs11h_finalize(void)
1618
{
1619
if (pkcs11h_key_param_nodes[PKCS11H_KEY_TOK_ID].suggested_val)
1620
free(pkcs11h_key_param_nodes[PKCS11H_KEY_TOK_ID].suggested_val);
1621
pkcs11h_terminate ();
1622
}
1623
1624
static struct ecryptfs_key_mod_ops ecryptfs_pkcs11h_ops = {
1625
.init = &ecryptfs_pkcs11h_init,
1626
.get_gen_key_params = NULL,
1627
.get_gen_key_subgraph_trans_node = NULL,
1628
.get_params = NULL,
1629
.get_param_subgraph_trans_node = &ecryptfs_pkcs11h_get_param_subgraph_trans_node,
1630
.get_blob = NULL,
1631
.get_key_data = NULL,
1632
.get_key_sig = &ecryptfs_pkcs11h_get_key_sig,
1633
.get_key_hint = NULL,
1634
.encrypt = &ecryptfs_pkcs11h_encrypt,
1635
.decrypt = &ecryptfs_pkcs11h_decrypt,
1636
.destroy = NULL,
1637
.finalize = &ecryptfs_pkcs11h_finalize
1638
};
1639
1640
struct ecryptfs_key_mod_ops *get_key_mod_ops(void)
1641
{
1642
return &ecryptfs_pkcs11h_ops;
1643
}
Loggerhead is a web-based interface for Breezy
Version: 2.0.1